[Reserved] Constructing the Rules of IPTables in the Firewall to build a firewall

xiaoxiao2021-04-01  197

In general, iptables already included in the Linux release, you can run iptables --Version to see if the system has iptables installed. In the Fedora Core 1 I used, the installed version is iptables v1.2.8. If your system does not install iptables, then you can download from the following address: http://www.netfilter.org/

View rule set

Although the above is a brief introduction to iptables, we may need to know more complete information, then we can run the full introduction to all commands and options, you can also run iptables help to view a quick help. To see an existing iptables plan set in the system, you can run the following command:

iptables list

Below is an iptables when there is no planning:

CHAIN ​​INPUT (Policy ACCEPT)

Target Prot Opt Source Destination

Chain Forward (Policy ACCEPT)

Target Prot Opt Source Destination

Chain Output (Policy ACCEPT)

Target Prot Opt Source Destination

As shown in the example above, each packet must pass through one of the three built-in chains (Input, Output, and Forward). Filter is the most commonly used table, which sets all of the basic syntax of all table rules: iptables [-t table] Command [Match] [Target].

In reality, it is not necessary to use all the options listed here, nor must it be in this order. Of course, this is a convention because rules are generally relatively long. For clarity, it is best to follow this order.

In the case where there is no specified rule table, the Filter table used by default. The three most commonly used objectives in the Filter table are Accept, Drop, and Reject. The DROP will discard the packet and no longer handle it. Reject will transfer the error information to the host sent by the packet. Although there will be some expected impact, it is still very useful in many times.

Increasing rules

The rules in this example will prevent packets from a particular IP range because the IP address range is suspected of being a large number of malicious attackers in the event:

# iptables -t filter -a input -s 123.456.789.0/24 -j drop

To learn more about iptables detailed parameters and command formats, use Man iptables. It can be said that now we have a bad attacker on the Internet, but no matter what to say, we can't have simple revenge because of hate them, at least this kind of thing cannot happen in your network. Therefore, we can easily block all the packets of the attacker IP address, which is only slightly different:

# iptables -t filter -a output -d 123.456.789.0/24 -j drop

Note that the A option here, as mentioned earlier, use it to explain the existing chain add rules.

Delete rule

The malicious attacker on the network is always changing, so we must also constantly change IP. Suppose we understand an online attacker transferred to a new IP address, and the old IP address is assigned to some innocent users, then the user's packets cannot pass your network. In this case, we can use a command with the -D option to delete an existing rule:

# iptables -t filter -d output -d 123.456.789.0/24 -j DROP Default Policy Create a significant time with great flexibility, can withstand the rules that can resist various accidents. For those who don't want to do this, the most basic principles are "first refused all packets, then allowed". Below we come to set the default rules for each chain:

# iptables -p input drop

# iptables -p forward Drop DROP

# iptables -p output accept accept

Here the options -p The strategy for setting the chain, only three built-in chains have a policy. These strategies can make information unlikely, but information flow is not allowed. But many times, we still need to receive external information. You can use the following command at this time:

# iptables -t filter -a input -s 123.456.789.0/24 -j accept

SYN's use

We can't close all ports, which will complete our own "separators". We can't only specify some ports to open, because we can't preview which port will be used. In fact, simply allowing the destination to traffic for a particular port that will be meaningless to prevent malicious attacks. So how can we set a valid rule, which allows normal users to pass normally, but also prevent malicious attackers from accessing our networks?

For those who just start using iptables, we can make full use of the SYN identity to prevent those unauthorized access. Because iptables only detects headers of the packet, it will not increase the payload. In fact, many other useful packet analysis are based on iptables.

For example, when a web surf is performed, a request is sent from your PC to a web server on some of the other places, then the server will respond to request and send you back a packet, and get one of your system. Temporary port. Different from the response request, the server does not care about what you are transmitted. This can use this feature to set a rule to prevent all TCP connections that have not been authorized by your system:

# iptables -t filter -a input -i eth0 -p tcp --syn -j drop

The -i refers to the NIC, and -p refers to the protocol, and SYN indicates the TCP packet with the SYN identity set. From this we can see that the understanding of TCP / IP will be very beneficial to maintain network security. SYN is used to initialize a TCP connection. If you don't run any servers on your own machine, others will naturally not send you SYN packets. At this point, someone will say: Why do you have trouble? Indeed, we have a simpler way to create a firewall, and there are also a lot of good software to help us build your own rule set, but we should be clear, the easiest way, often not the best way. Since we have a better way, why not use it? Sharing an Internet connection network address translation and IP camouflage can implement multiple hosts sharing an Internet connection, and this LAN can be a multi-system local area network consisting of Linux and Windows systems. Suppose now we have two network cards, where Eth0 is "public" network card, Eth1 is "private" network card. In other words, ETH0 is assigned a static, routed IP address, and Eth1 is assigned to a private, IP that cannot be routed, means that the IP is the LAN. To implement the above features, we need to add some chains to the NAT and Filter tables:

# iptables -t nat -a postrouting -o eth0 -j masquerade # iptables -t filter -a forward -i eth0 -o th1 -m state --state

Related, ESTABLISHED -J ACCEPT

# iptables -t filter -a forward -i eth1 -o eth0 -j accept

This shows the value of a stateful packet detection. Note that we are here to implement inflow packets is only allowed when it belongs to an existing connection, and all packets from the flow of flows from the LAN have been allowed (Note: Filter here is the default table. But it is not necessary). The first rule makes all the information from which it comes from firewall machines, and does not show there in behind the firewall.

The following example is to set the default policy for the Forward and PostRouting chain. When using camouflage, there is a default PostROUTING DROP policy. Otherwise, it is possible to have a malicious user to break through the gateway and disguise itself. identity of.

# iptables -t filter -p forward Drop

# iptables -t Nat -P PostRouting Drop

The following example is for dial-up connection settings, which can dynamically assign IP addresses:

# iptables -t nat -a postrouting -o ppp0 -j masquerade

The rule saving Using the script change rule is: Change each rule to call the command iptables, and call iptables every time, it first extracts the entire rule set in the NetFilter kernel space, then insert or attach, or Do other changes, finally, then insert the new rule set from its memory space into the kernel space, this obviously spends a lot of time. In order to solve this problem, you can use the iptables-save and restore. Iptables-save is used to save the rule set into a special format text file, and iptables-restore is used to reload this file into the kernel space. The best place in these two commands is that one call can be loaded and saved, and iptables should be called once like each rule in the script. Iptables-save runs once, you can extract the entire rule set from the kernel and save it to the file, and iptables-restore is loaded with a rule table each time. In other words, for a large rule set, if you use the script, then these rules will be uninstalled, install many times, and we can now save the entire rule set once, it is once. A table, which saves a lot of time. So, once the test results make you satisfied, you can save them as scripts:

# iptables-save> iptables-script

Now, all rules in the packet filtering table are saved in the file iptables-script. Whenever you re-boot the system, you can use the iptables-restore command to restore the rule set from the script file to the packet filter table, the recovery instruction is as follows:

# iptables-restore iptables-script

If you are willing to automatically recover the rule set each time you boot your system, you can put the commands specified above in any of the initial shell scripts.

In fact, most issues provide users with a file that can be loaded, allowing users to edit rule sets, and most of the issues have a pre-configured firewall. Different release profiles are in the same way, we can use the command locate iptables to find the configuration file. This profile is located in / etc / sysconfig / iptables for Red Hat or Fedora Core. The initial content of this file is as follows: 1 # FireWall Configuration

2 * Filter

3: INPUT [0: 0]

4: Forward [0: 0]

5: Output [0: 0]

6

7 # you rules here

8

9 commit

It is recommended to change its basic frame to the following:

1 * Filter

2: Input Drop [0: 0]

3: Forward Drop [0: 0]

4: Output Accept [0: 0]

5

6 # allow local loopback connects

7 -A Input -i Lo -j ACCEPT

8

9 # Drop Invalid Connections

10 -A INPUT -M State --State Invalid -j Drop

11-Output -m State --State Invalid -j Drop

12 -A Forward -M State --State Invalid -j Drop

13

14 # allow all established and related

15 -A INPUT -M State --State Established, Related -j Accept

16

17 # Add Anymore Rules Here

18

19 commit

转载请注明原文地址:https://www.9cbs.com/read-131272.html

New Post(0)